[dojo-contributors] "core dojo", packaging, and the build system

Sandro Magi smagi at naasking.homeip.net
Thu Apr 6 07:41:51 EDT 2006


Alex Russell wrote:
> No, just that a system of "trusted" distribution sites is not uncommon 
> in the software world (take, for instance, CPAN).

Sure, and the gentoo ebuild system. Difference is, these distribution
systems provide checksum verification against an authoritative source to
prevent trojans.

> Folks who have 
> security considerations can do something different if need be, but 
> trying to build out a web of trust in a browser environment is 
> more-or-less untennable w/o coarse-grained trust relationships.

I agree it's probably not worth the time. But since everyone seems to be
set on going ahead with "CJAN", I just thought I'd point out the
security problems and suggest a solution.

I believe some, perhaps many, naive developers/users will make the
mistake of leaving the references to CJAN in their deployed apps.

This is a phisher's wet dream. If script download is over unencrypted
channels, they don't even need to subvert a host, they can just mount a
man-in-the-middle attack and return an arbitrary replacement script.

> Hashing in the browser is also tremendously slow. We don't have many 
> good options right now, so we work with what we've got. This is the 
> life of a web developer.

I would recommend that streamlining builds and providing a clear,
concise document for this procedure would be a better use of resources.
Perhaps an online build form even? The developer/user must necessarily
trust the server with which he is communicating, so custom builds are
always the way to go.

I believe HTTP keep-alive and browser-side script caching will make the
above faster, and definitely safer, than distributed load-balancing.

Sandro



More information about the dojo-contributors mailing list